ContentSecurityPolicy has a back pointer to ScriptExecutionContext.
That means we shouldn't share a single ContentSecurityPolicy object
between multiple ScriptExecutionContexts. This patch copies the state
from one ScriptExecutionContext to another rather than sharing the
ContentSecurityPolicy object itself.

This resulted in a subtle but w.r.t. blocking eval. Because we block
eval by setting a bit in the JavaScript engine when enforcing the
policy, that bit wasn't copied along with the rest of the state when we
were sharing the ContentSecurityPolicy object. Now that we use the
more robust ContentSecurityPolicy::copyStateFrom function, we don't
have that bug.

The standard format of commit messages and ChangeLog entries has a
short summary in the first line, followed by the bug URL in
Bugzilla. Passing "%s" in the pretty format line to git-rev-list
merges these two lines into a single one separated by a space
character, which is not what we want.

Since "%s%n%n%b" is in practice "%B" (raw message), use it
instead, as the first two lines do not end up being merged
together.

No new tests. Covered by existing tests: fast/images/png-extra-row-crash.html in
particular.

platform/image-decoders/png/PNGImageDecoder.cpp:

(WebCore::PNGImageDecoder::rowAvailable): Use colorChannels consistently. Split
the useful libpng comments in two, then place the early-out code and conditions
inbetween. The png variable is only used in one place so move it there.

We only free bytes allocated to a RenderArena when destroying the Document.
Histogram both the render tree size and the total bytes allocated. This
gives a better sense of the overhead of RenderArena as well as giving a more
accurate number for the amount of actual memory used by the render tree.

No new tests. This is not webfacing, so this can't be tested without adding
API to layout test controller, which doesn't seem worth it for this code.

My Perl-fu is very weak. This moves the feature option list off into a separate module
file so that I can easily autogenerate just that file with the fancy new generate-feature-files command.
It's a bit odd to have an array which we return out to build-webkit to modify, but it turns out
not to matter. Also, build-webkit doesn't actually use any of the variables we're using to
store the results from the option parse, so those end up inaccessible from build-webkit (except by reference)
which is actually cleaner. Callers can't assume that they would get a new array every time, but someone
with more Perl-fu than I could create something fancier than this if we need in the future.

As discussed at the W3C WebAppSec face-to-face meeting, there's no
point in blocking about:blank iframes or objects because blocking a
frame or object just results in displaying about:blank anyway. This
patch just removes the spurious console message and violation report.

The old approach relied on pkg-config for finding Cairo (which
introduced a dependency on pkg-config that could be avoided), used
the LibFindMacros code that we should probably remove in the
future and did not use the FindPackageHandleStandardArguments
module.

Change all that by rewriting the module.

Use the pkg-config output optionally instead of requiring it

like LibFindMacros did.

Remove the implicit dependency on FreeType which often found it

the wrong way via pkg-config and without considering
CMAKE_PREFIX_PATH.

Retrieve the Cairo version by looking at cairo-version.h instead

of relying on pkg-config. It requires some additional code for
checking if the desired version has been found, but that will not
be needed once we start depending on CMake 2.8.3 or later.

The only downside is that FPHSA sets <UPPERCASED_NAME>_FOUND
instead of <Name>_FOUND, and to keep things consistent
Cairo_LIBRARIES and Cairo_INCLUDE_DIRS have become CAIRO_LIBRARIES
and CAIRO_INCLUDE_DIRS.

The sorting assumes that the column header name matches a field
in the testResults object and uses that field for sorting.
Filter the bugs out of the modifiers list and put them in a bugs field
and only put the non-bug modifiers in the modifiers list.

Update IDBObjectStore.openCursor, IDBIndex.openCursor,
IDBIndex.openKeyCursor, IDBDatabase.transaction,
IDBCursor.direction, IDBTransaction.mode, and
IDBRequest.readyState to meet the latest spec. All of these APIs
now support string-based values in addition to the
legacy/deprecated enum-based values.

Remove these last two odd-men-out, so that we can generate the default feature options
for build-webkit using the new generate-feature-files command.
The Mac build system has some special casing for ENABLE_ defines which gets them
defined as -D on the build command, even though initially they start out as
environment variables ENABLE_FOO = ENABLE_FOO. The Feature options in build-webkit
depend on this support, but it doesn't work for WTF_USE_ defines like WTF_USE_WTF_URL.
I'm told that WTF_URL is not actively being worked on, so just removing it for now.
It should probably come back to life as an ENABLE_, or build-webkit or the Xcode projects
should be made generically smarter about these USE_WTF defines.
(There is still WTF_USE_TILED_BACKING_STORE in the feature list, but it only seems
used by Qt. If someone tried build-webkit --tiled-backing-store on Mac today it
would not work!)

Chromium still supports Leopard (for a little while yet), but AppleMacWebKit dropped
Leopard support several months ago. Remove the last bits of isLeopard() branching
in our Perl scripts, since no one is using this (Chromium has never used this Perl code).

r93938 had a bug where floating point numbers where compared exactly,
exposing a bug when floating point precision was not sufficient. This
change compares against an epsilon value to get around these precision
issues.

Currently reportAbandonedObjectGraph causes the Heap to think it is closer to its
allocation limit for the current cycle, thus hastening an allocation-triggered collection.
In reality, it should just affect the opportunistic GC timer. We should track the bytes
we think have been abandoned and the bytes that have been allocated separately.

heap/Heap.cpp: Added a new field m_abandonedBytes to Heap to keep track of how much

we think we've abandoned.
(JSC::Heap::Heap):
(JSC::Heap::reportAbandonedObjectGraph):
(JSC):
(JSC::Heap::didAbandon): Added this function for reportAbandonedObjectGraph to call
rather than didAllocate. Works the same as didAllocate, but modifies bytes abandoned rather
than bytes allocated. Also notifies the timer, summing the two values together.
(JSC::Heap::collect):
(JSC::Heap::didAllocate): Now adds the bytes allocated and bytes abandoned when reporting
to GCActivityCallback.

Locking performance tests (like we do for http tests) will force them
to run in serial. This reduces the load of the machine when running perf
tests and minimizes the chances of the tests to fail, specially
timeouts.

It looks like we may be getting an IOError raised during
select() on chromium mac, and that error isn't being caught.
Pushing it into the try/catch block will hopefully catch this
and allow us to see why the subprocess is crashing.

(WebKit):
Set the interface sizes for WKBundlePageFormClient; version 1 includes
willSendSubmitEvent.

Shared/APIClientTraits.h:

Declare a specialization for WKBundlePageFormClient.

WebProcess/InjectedBundle/API/c/WKBundlePage.h:

Bump the WKBundlePageFormClient version number.

Tools:

TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:

Added new files to project.

TestWebKitAPI/Tests/WebKit2/WillSendSubmitEvent.cpp: Added.

(TestWebKitAPI::didReceiveMessageFromInjectedBundle):
Look for the "DidReceiveWillSendSubmitEvent" message. The message body
will be the dictionary of form control names and values passed to the
injected bundle's willSendSubmitEvent handler; look for the pairs
"textField" -> "text field" and "passwordField" -> "password field".
Check that "hiddenField" is not included.
(TestWebKitAPI::setInjectedBundleClient):
(TestWebKitAPI::TEST):

TestWebKitAPI/Tests/WebKit2/WillSendSubmitEvent_Bundle.cpp: Added.

(TestWebKitAPI::willSendSubmitEvent):
Post a message to the TestWebKitAPI process with the dictionary of form
control names and values that we received.
(TestWebKitAPI::WillSendSubmitEventTest::WillSendSubmitEventTest):
(TestWebKitAPI::WillSendSubmitEventTest::didCreatePage):
Set up the page's form client.

Modifies TouchpadFLingGestureCurve to use an exponential, rather than polynomial, curve.
This change appears to improve the overall feel of touchpad fling, and substantially
improves small-fling performance.

FractionalLayoutUnit is a new type that uses an integer to represent a fraction of a pixel.
We're also adding a feature flag -- ENABLE_SUBPIXEL_LAYOUT -- that toggles this fraction
between 1/1 and 1/60. Initially, all platforms will default to subpixel layout being off,
so FractionalLayoutUnits will effectively continue to act as integers.

With ENABLE_SUBPIXEL_LAYOUT turned on, FractionalLayoutUnits accumulate error from sub-pixel
CSS values and applied zooming, and painting uses pixel-snapping to align these values
to pixels. See ​http://trac.webkit.org/wiki/LayoutUnit for details.

In a number of previous patches, LayoutUnits were plumbed throughout the rendering tree
to prepare for this change. This included a number of functions in LayoutTypes.h and
the IntRect/Point/Size classes that were effectively no-ops while LayoutUnits were
integers. Subsequent patches will remove unnecessary versions of these functions; see​http://webkit.org/b/84616 for tracking these changes.

Xcode used to have a bug whereby it didn't notice if you changed the #defines
passed on the command line to xcodebuild. I wrote code to work around this
while bringing up SVG support 5-6 years ago. I think we can finally remove this
code from build-webkit, since SVG is the only feature flag to ever use it
(modern in-progress features like MathML don't seem to be using the support)
an I suspect the XCode bug has long been fixed.

r114283 added logic that allows compositing layers to avoid allocating their own
backing store and to paint into an ancestor instead. However, that caused
assertions in RenderLayer::updateClipRects() about m_clipRectsRoot being
incorrect, because clip rect code assumed that compositing layers
always painted themselves.

Fixed by calling paintsIntoCompositedAncestor() in RenderLayer::clippingRoot(),
so that clip rect computation matches painting.

I wasn't able to easily make a test that reproduces the assertion in DRT.

Rename SVGImageCache::SizeAndZoom to SVGImageCache::SizeAndScales, as it carries more than just zoom now.

Pass the product of the device and page scales through everything that takes a SVGImageCache::SizeAndScales,
using it to inflate the size of the buffer created in lookupOrCreateBitmapImageForRenderer,
and to inflate the destination rectangle passed to SVGImage::draw, which will cause a transformation
on the context being drawn into.

Invalidate the SVGImageCache entry on device/page scale changes in addition to zoom changes.

(ServerProcess.init): Remove the executive parameter as it was
not passed by any caller, obtain a SystemHost from port_obj
instead.
(ServerProcess._log): Style, remove extra empty line.
(ServerProcess._start):
(ServerProcess.stop):
(ServerProcess.kill):

Scripts/webkitpy/layout_tests/port/server_process_unittest.py:

(TrivialMockPort.init): Create a MockSystemHost used by
ServerProcess.
(TestServerProcess.test_broken_pipe): Test different platforms.

The spec defines the behavior for generated keys up to 253
(the maximum integer storable as an ECMAScript number) and
the error case when going beyond that. Ensure that we can
handle values up to that point and generate errors beyond.

Use the cloneForCSSOM() mechanism in CSSValue to expose CSSImageValue to bindings as a URI
primitive value. This matches the specced behavior of computed image values, and restores our
previous behavior without having CSSImageValue subclass CSSPrimitiveValue.

Also added a failsafe return after the isCSSOMSafe() assertion in the JSC bindings, since it's
better to expose an incorrect return value than an insecurely shared one, should we have or add
bugs in this code.

bindings/js/JSCSSValueCustom.cpp:

(WebCore::toJS):

css/CSSImageValue.cpp:

(WebCore::CSSImageValue::cloneForCSSOM):

css/CSSImageValue.h:

css/CSSValue.cpp:

(WebCore::CSSValue::cloneForCSSOM):

LayoutTests:

Update fast/css/image-value-type.html to reflect that CSSImageValue are now exposed
as primitive values in the CSSOM.

(WebCore::HTMLFormControlElement::removedFrom): Only set the invalid ancestor flag.
The element will be detached from the document so there is no need to update the style.
And the validation message will be hidden by the blur event.
(WebCore::HTMLFormControlElement::willValidate): Because of the change to removedFrom,
m_ancestorsValid may be false.

Change RenderLayerCompositor to always use overlap testing when possible.

Rather than turn off overlap testing wholesale when encountering a non-affine
transform, or starting an accelerated transform animation, we constrain
the disabling of overlap testing to within overflow:hidden areas when possible.

Tests: compositing/layer-creation/overlap-animation.html

compositing/layer-creation/overlap-transforms.html

rendering/RenderLayerBacking.cpp:

(WebCore::RenderLayerBacking::setCompositedBounds): Whitespace fix.

rendering/RenderLayerCompositor.cpp:

(WebCore::CompositingState::CompositingState):
(CompositingState): Add a member boolean to track whether we're testing overlap. Add a copy
constructor.
(WebCore::RenderLayerCompositor::updateCompositingLayers): Initialize the 'testing overlap'
setting based on m_compositingConsultsOverlap (though this will always be true until removed
in a future commit).
(WebCore::RenderLayerCompositor::updateBacking): No longer turn off overlap testing
when we see a non-affine transform.
(WebCore::RenderLayerCompositor::computeCompositingRequirements): No need for the 'struct'
in the arguments.
Consult compositingState.m_testingOverlap to see if we want to test overlap.
Use the new CompositingState copy ctor for childState, but set m_subtreeIsCompositing to false
as before.
If this layer is composited, look to see if need to disable over lap testing based on
the transform or an animation.
Just as we propagate m_subtreeIsCompositing, we have to propagate m_testingOverlap=false
for the rest of the traverse.
If we've just processed a layer which clips compositing descendants, we can go back
to testing for overlap.
(WebCore::RenderLayerCompositor::didStartAcceleratedAnimation): No need to do anything
here now. It will be removed in future.
(WebCore::RenderLayerCompositor::hasNonAffineTransform): No longer check
perspective here, since that doesn't affect whether _this_ layer should disable
overlap testing. Checking for a non-affine transform is sufficient.
(WebCore::RenderLayerCompositor::isRunningAcceleratedTransformAnimation):
New method to check if AnimationController is running a transform animation.

rendering/RenderLayerCompositor.h:

(RenderLayerCompositor):

LayoutTests:

Reviewed by Antti Koivisto.

Two new tests that check for layer creation outside of an overflow:hidden
stacking context.

Updated results for other tests whose results are affected by the
'compositingConsultsOverlap' flag; their layers are now constrained to
the viewport.

In flipped blocks writing modes, flipping was being applied twice to box descendants of
inline children of the flipped block, once during RenderBox::mapLocalToContainer, and then
again by RenderInline::mapLocalToContainer. The fix is to make the latter only apply the
flip to local coordinates originating in the inline or a descendant inline. This is done
by adding a parameter of type ApplyContainerFlipOrNot, which defaults to ApplyContainerFlip
but is reset to DoNotApplyContainerFlip in recursive calls into mapLocalToContainer().

Each parse value helper function was checking whether the value string was empty. For the
common case this check is already done by StylePropertySet::setProperty(). So this patch
make CSSParser::parseValue() assume the value string is not empty, and fix the other two
clients.

Test: fast/html/font-face-empty-should-not-crash.html

css/CSSParser.cpp:

(WebCore::parseColorValue): Replace the string empty check by an ASSERT() to document
function's expectations.
(WebCore::parseSimpleLengthValue): Ditto.
(WebCore::parseKeywordValue): Ditto.
(WebCore::CSSParser::parseFontFaceValue): This will be covered by the added test.
(WebCore::CSSParser::parseValue):

css/WebKitCSSMatrix.cpp:

(WebCore::WebKitCSSMatrix::setMatrixValue): This is already covered by
transforms/cssmatrix-2d-interface.xhtml.

(WebCore::SelectorChecker::SelectorChecker):
Setting the default value for the enum member m_mode to ResolvingStyle.

(WebCore::SelectorChecker::checkSelector):
Instead of verifying against the bool m_isCollectingRulesOnly, we now check whether or not
m_mode is set to ResolvingStyle.

(WebCore::SelectorChecker::checkOneSelector):
Instead of verifying against the bool m_isCollectingRulesOnly, we now check whether or not
m_mode is set to ResolvingStyle. Also, for the pseudo-elements case we check if its
value is set to QueryingRules in which case we return false.

css/SelectorChecker.h:

(WebCore::SelectorChecker::mode):
Returns the mode (m_mode) value.

(WebCore::SelectorChecker::setMode):
Sets the mode (m_mode) to the passed enum value.

Replace gdk_init() initialization call with the g_type_init()
call. GdkPixbufLoader doesn't actually need the current call to be
made and this change will also remove crashes when ImageDiff
is started in an environment without a DISPLAY env.

Fix a typo in the original test and update the expectations.
The purpose of this test is to verify that region styling is NOT enabled for inline elements. The test was passing
because region styling rule was not applied due to incorrect region selector.

The corrected test makes sure that region styling rule has the right region selector and can be applied to the first region in the test file.

The API added for DOMWindowExtension, didCreateGlobalObjectForFrame, would create a global object
for every world, even those that did not need the callback. This had the side effect of creating a
JSDOMWindowShell that the associated world didn't necessarily know to clean up. Instead of creating
unnecessary objects change the API to globalObjectIsAvailableForFrame and do not pass the global object
in the API. The object can be accessed later by those worlds which require it.

Follow-up patch: Add const Foo& foo() const accessors to SVGAnimatedType,
to avoid the "Foo& foo = animated->foo()" idiom in all cases where we
don't need to mutate 'foo'. Use "const Foo& foo = animated->foo()" instead.
Inline all of these methods to avoid the function call overhead.

For to-animations we actually mutated the from value before, but it wasn't a
problem in practive, as we did that on every animation step. Fully avoid these
inconsitencies by never mutating the from/to types stored in SVGAnimateElement.

Cache toAtEndOfDurationType just like m_toType/m_fromType in SVGAnimateElement,
to avoid reconstructing it on every animation step.

What's expected?
Two times should be contained in the 'begin' times list in SVGSMILElement: m_beginTimes = { 0s, 2s }.
The initial first resolved interval is: m_intervalBegin=0.0s, m_intervalEnd=8.0s.

During t=0s..1.9999s the m_intervalBegin/m_intervalEnd are correct.
At t=2s, a new interval can be started. m_intervalEnd should be set to nextBeginTime, where nextBeginTime=2s.
The current interval should get cropped to: m_intervalBegin=0s, m_intervalEnd=2s. The following call to
resolveNextInterval() sees that elapsed >= m_intervalEnd, and thus moves on to the next interval.
m_intervalBegin should be 2s and m_intervalEnd=10s after that.

In trunk this behavior is only partly implemented and broken. Especially broken together with seeking via SVGSVGElement.setCurrentTime.
That's because we don't correctly seek to the right interval in case of multiple begin values, eg. if we sample an animation with
begin="0s; 3s" dur="6s" we always remain in the first interval and don't move on.

Fix all of these issues, making lots more tests work in Dr. Olaf Hofmanns SVG Animation test suite.

Don't add small opaque areas (smaller than 160x160) to the occlusion
tracker's Region objects to avoid high Region::unite() costs.

We would like Region to just be fast enough that this isn't a concern,
and there are patches in flight to do this, but at the moment, small
opaque areas add significant cost if there is many of them, for
potentially small gains since they do not cover entire tiles.

notifications/DOMWindowNotifications.idl: Wrap webkitNotifications as part of legacy API.

notifications/Notification.cpp: New permission functions are wrapped with ENABLE(NOTIFICATIONS)

(WebCore::Notification::taskTimerFired): Use the new permission functions to determine whether we can show the
notification.
(WebCore::Notification::permissionLevel):
(WebCore::Notification::permissionString): Declare three static locals for each of the values, and return
based on the permission enum.
(WebCore::Notification::requestPermission): Forward request to client.

WebCoreSupport/WebNotificationClient.mm: Add a separate callback
variable depending on the notifications API enabled.
(WebNotificationClient::requestPermission): Add
NotificationPermissionCallback version of the same
function. And refactor common code into private function.
(-[WebNotificationPolicyListener initWithCallback:]): Refactor to
take the NotificationPermissionCallback as a parameter.
(-[WebNotificationPolicyListener initWithVoidCallback:]): Add new
init method to handle legacy API.
(-[WebNotificationPolicyListener allow]): Invoke the callback for
both variables. If only one of the APIs is enabled, we are
guaranteed that the relevant callback variable exists. If both
APIs are supported, it is possible that _voidCallback will be nil
if the callback is NotificationPermissionCallback, so we need the
extra pointer check.
(-[WebNotificationPolicyListener deny]): Ditto.

(WebKit::NotificationPermissionRequestManager::startRequest): Add version to support both kinds of
callbacks.
(WebKit::NotificationPermissionRequestManager::cancelRequest):
(WebKit::NotificationPermissionRequestManager::didReceiveNotificationPermissionDecision):

WebProcess/Notifications/NotificationPermissionRequestManager.h: Add another map for new callback type.

(NotificationPermissionRequestManager):

WebProcess/Notifications/WebNotificationManager.cpp:

(WebKit::WebNotificationManager::show): Add #ifdef to use replaceId() or tag() depending on which feature
has been enabled. In the case where both are enabled, we prefer tag() since that is in the latest spec.

The PreprocessorDefinitions line is still not sorted, but I'll do that in a separate patch.
There is no functional change in this patch. Just moving the defines around.
Its interesting to me that now that it's sorted and I can easily compare this with other
ports and found that a whole bunch of defines which should be on for Cairo are off,
likely due to Cairo simply being overlooked. These oversights should be easy to avoid
in an autogenerated world.

I have a script which can autogenerate these xcconfig files as well as the
vsprops files (and soon the Chromium, cmake, gnumake and qmake) feature lists
from a central feature list file.
In preparation for posting such a tool, I'm re-sorting these xcconfig files to be
alphabetically ordered (currently they're close, but not quite).
There is also at least one inconsistency between these files (CSS_LEGACY_PREFIXES) which
I will fix in a second pass. I will also sort the FEATURE_DEFINES = line in a follow-up patch.

Blur filters move pixels around, so a pixel can influence the value of
pixels at some distance away. If a pixel is not occluded, then all
pixels within the radius of the blur may influence the value of that
pixel, so they should also stay unoccluded.

For background filters, the pixels are read from the filter's target
surface, so we remove occlusion from that target surface from pixels
that will blur into visible pixels.

Writing warnings to stderr when FractionalLayoutUnits overflow on debug builds instead of asserting
and crashing. It can be very useful to WebKit developers know when overflow is occurring, but it's
not always a programming error, so assert wasn't the right action.

These tests iterate over all properties in the global scope and their respective properties.
These tests are different on all platforms because they depend on build flags.
Each feature should be covered by a more specific test than a global catch all that breaks
every time anyone touches any IDL file.

(WebCore::HTMLFormElement::prepareForSubmission):
Get the form field names and values, and use them to create a FormState
object. Pass this object when calling dispatchWillSendSubmitEvent().
(WebCore::HTMLFormElement::getTextFieldValues):
Loop over the associated elements, looking for <input> elements.
Collect their names and values.

(WebCore::Page::Page):
Initialize new call count member.
(WebCore::Page::setDefersLoading):
Check whether the callers wants balanced defer/resume loading behavior.
If the call count is not changing from 0 to 1 or 1 to 0, return early.
Otherwise, defer or resume loading for frames in this page.

page/Page.h:

(WebCore::Page::defersLoading):
Added a member to hold the call count.

page/Settings.cpp:

(WebCore::Settings::Settings):
Initialized new member m_wantsBalancedSetDefersLoadingBehavior.

Change Length and CSS length computation to floating point. This gets us
closer to the goal of supporting subpixel layout and improves precision
for SVG which already uses floating point for its layout.

This change makes computedStyle return fractional values for pixel values
if a fraction is specified. It also changes the result of computations
where two or more values with fractional precision. Prior to this change
the result of Length(2.9) + Length(2.9) would be 4 as each value would be
floored. With this change the result is 5 as the addition is done with
floating point precision and then the result will be floored. Once we
enable subpixel layout the resulting value in this example would be 5.8.

If a value is sufficiently close to the next integer round it up to
ensure that a style rule such as "width: 4.999px" evaluates to 5px
instead of 4px. This is needed as, although Lengths are using floating
point, the layout system still uses integer precision and floors the
Length values.
This will change once we move to FractionalLayoutUnits but for now this
is needed to ensure compatibility with the existing system and tests.

Without this specialized rounding logic we fail a handful of tests
including acid3.

platform/Length.h:

(WebCore::Length::value):
(Length):
(WebCore::Length::intValue):

rendering/RenderTableCell.cpp:

(WebCore::RenderTableCell::styleOrColLogicalWidth):

LayoutTests:

Reviewed by Eric Seidel.

Change Length and CSS length computation to floating point. This gets us
closer to the goal of supporting subpixel layout and improves precision
for SVG which already uses floating point for its layout.

This change makes computedStyle return fractional values for pixel values
if a fraction is specified. It also changes the result of computations
where two or more values with fractional precision. Prior to this change
the result of Length(2.9) + Length(2.9) would be 4 as each value would be
floored. with this change the result is 5 as the addition is done with
floating point precision and then the result will be floored. Once we
enable subpixel layout the resulting value in this example would be 5.8.

We're still seeing crashes in the FrameLoader where the FrameLoader's
state is "provisional" but there is no provisional document loader. I
added code to update the FrameLoader's state everytime the provisional
document loader is cleared, and added checks that the FrameLoader's
state can't be set to provisional without a provisional loader.

If the crashes go away, or the newly added checks reveal the culprit,
we should relex the checks to use ASSERT() instead of CRASH().

Opportunistic GC is punishing us severely in limited memory situations because its
assumptions about how much time a collection will take are way out of whack when the Heap
has been paged out by the OS. We should add a simple detection function to the Heap that
detects if its is paged out. It will do this by iterating each block of both the MarkedSpace
and CopiedSpace. If that operation takes longer than a fixed amount of time (e.g. 100ms),
the function returns true. This function will only be run prior to an opportunistic
collection (i.e. it will not run during our normal allocation-triggered collections).

In my tests, steady state was drastically improved in high memory pressure situations (i.e.
the browser was still usable, significant reduction in SPODs). Occasionally, a normal GC
would be triggered due to pages doing things in the background, which would cause a
significant pause. As we close pages we now cause normal collections rather than full
collections, which prevents us from collecting all of the dead memory immediately. One
nice way to deal with this issue might be to do incremental sweeping.

heap/CopiedSpace.cpp:

(JSC::isBlockListPagedOut): Helper function to reduce code duplication when iterating over
to-space, from-space, and the oversize blocks.
(JSC):
(JSC::CopiedSpace::isPagedOut): Tries to determine whether or not CopiedSpace is paged out
by iterating all of the blocks.

heap/CopiedSpace.h:

(CopiedSpace):

heap/Heap.cpp:

(JSC::Heap::isPagedOut): Tries to determine whether the Heap is paged out by asking the
MarkedSpace and CopiedSpace if they are paged out.
(JSC):

heap/Heap.h:

(Heap):
(JSC::Heap::increaseLastGCLength): Added this so that the GC timer can linearly back off
each time it determines that the Heap is paged out.

heap/MarkedAllocator.cpp:

(JSC::MarkedAllocator::isPagedOut): Tries to determine if this particular MarkedAllocator's
list of blocks are paged out.
(JSC):

heap/MarkedAllocator.h:

(MarkedAllocator):

heap/MarkedSpace.cpp:

(JSC::MarkedSpace::isPagedOut): For each MarkedAllocator, check to see if they're paged out.

heap/MarkedSpace.h:

(MarkedSpace):

runtime/GCActivityCallback.cpp:

(JSC::DefaultGCActivityCallback::cancel):
(JSC):

runtime/GCActivityCallback.h:

(JSC::GCActivityCallback::cancel):
(DefaultGCActivityCallback):

runtime/GCActivityCallbackCF.cpp: Added a constant of 100ms for the timeout in determining

whether the Heap is paged out or not.
(JSC):
(JSC::DefaultGCActivityCallbackPlatformData::timerDidFire): Added the check to see if we
should attempt a collection based on whether or not we can iterate the blocks of the Heap in
100ms. If we can't, we cancel the timer and tell the Heap we just wasted 100ms more trying to
do a collection. This gives us a nice linear backoff so we're not constantly re-trying in
steady state paged-out-ness.
(JSC::DefaultGCActivityCallback::cancel): Added this function which, while currently doing
exactly the same thing as willCollect, is more obvious as to what it's doing when we call it
in timerDidFire.

If a layer becomes composited because it needs to clip composited
descendants, or if it has perspective, then it doesn't actually
needs its own backing store; its contents can be painted by an
ancestor, and we can just have an empty layer that does the clipping
or applies the perspective transform.

This change adds some ASSERTs on RenderLayer that prevent any use of its lists if they
are dirtied.

On top of this change, we added an invariant that non-stacking contexts should have their
z-index lists NULL (instead of empty or NULL previously). This is enforced at
updateZOrderLists time as we now ensure that it is called in a timely manner.

rendering/RenderLayer.cpp:

(WebCore::RenderLayer::calculateLayerBounds):
Added call to updateLayersIfNeeded as we will query them later and there is no guarantee
that they are not dirty (we recurse in our children as part of calculateLayerBounds).
This was causing the new ASSERTs to trigger on css3/filter/ tests.

(WebCore::RenderLayer::dirtyZOrderLists):
Added a comment as to why we can't ASSERT that we are in a stacking context here.

(WebCore::RenderLayer::rebuildZOrderLists):
Added an ASSERT that we only rebuild z-index lists for dirtied stacking context.

(WebCore::RenderLayer::updateLayerListsIfNeeded):
Updated to ensure that the reflection layer has its layers updated too. This was triggering
the new ASSERTs on fast/runins/run-in-layer-not-removed-crash.html.

(WebCore::RenderLayer::updateCompositingAndLayerListsIfNeeded):
Updated to use the new isDirtyStackingContext function.

rendering/RenderLayer.h:

(WebCore::RenderLayer::isDirtyStackingContext):
New helper function. Also made updateLayerListsIfNeeded() the only way
to update layer. That should prevent any misuse.

(WebCore::RenderLayer::posZOrderList):
(WebCore::RenderLayer::negZOrderList):
(WebCore::RenderLayer::normalFlowList):
ASSERT that we don't query any of the previous lists if they are dirty. Also
enforce the invariant that non-stacking contexts should have NULL z-index lists.

(WebCore::RenderLayer::clearZOrderLists):
New function to clearZOrderLists so that we can enfore the previous invariant.

(WebCore::RenderLayer::updateZOrderLists):
Updated to clear the dirty flag and the z-index lists for non-stacking context.

(WebCore::RenderLayerCompositor::updateLayerTreeGeometry):
(WebCore::RenderLayerCompositor::canBeComposited):
Disabled compositing on RenderLayer in flow thread. Because flow thread's
RenderLayer are not collected as part of RenderLayer's lists and could be composited,
this was causing the new ASSERTs to trigger (e.g. on fast/regions/webkit-flow-renderer-layer.html).

This change implements a poor man's select() that will
slow-spin doing non-blocking reads on the stdout and stderr
named pipes connecting the worker to the driver. Seems to work
and I have yet to see much overhead or ill effects but it
probably needs more testing.

The spec defines the behavior for generated keys up to 253
(the maximum integer storable as an ECMAScript number) and
the error case when going beyond that. Ensure that we can
handle values up to that point and generate errors beyond.

r115880 replaced the direct use of sys.platform with a
PlatformInfo object. Dirk Pranke later told me SystemHost objects
should be preferred, as nothing out of webkitpy.common.system
should create its own PlatformInfo instances.

Scripts/webkitpy/common/system/systemhost_mock.py:

(MockSystemHost.init): Make it possible to specify a custom
filesystem object.

Scripts/webkitpy/style/checkers/png.py:

(PNGChecker.init): Accept a host object instead of a
filesystem one, which is now obtained from host.
(PNGChecker._config_file_path): Retrieve PlatformInfo from
SystemHost.

Scripts/webkitpy/style/checkers/png_unittest.py:

(PNGCheckerTest.test_init): Adjust calls to PNGChecker to its new
constructor signature.
(PNGCheckerTest.test_check): Ditto.

This patch also fixes bugs 72834 and 47781. The main problem is that correct preferred
logical widths are affected by operator stretching. Thus we add a call to
setNeedsLayoutAndPrefWidthsRecalc() after the stretching code in
RenderMathMLOperator.cpp, and change RenderMathMLBlock and RenderMathMLRow to make sure
that stretching of children is done before an <mrow>'s preferred logical widths are
computed.

Remove stretchToHeight() from most classes as it no longer needs to be done
recursively. We just call it on the base of an embellished operator, and that
calls setNeedsLayoutAndPrefWidthsRecalc() to mark itself and its container
chain.

See ​http://trac.webkit.org/changeset/85945 for background on the line
I'm changing. With clang, GXX_EXPERIMENTLAL_CXX0X is set in c++11
mode, but MSVC's c++ library doesn't have a tr1/memory header. So also
check for GLIBCXX, like it's done in the rest of this file.

Another part of the work towards replacing direct sys.platform
usage with PlatformInfo.

Scripts/webkitpy/layout_tests/run_webkit_tests_integrationtest.py:

(MainTest.setUp): Move the setting of SHOULD_TEST_PROCESSES
here. Even though it is costlier, unittest.setUpClass was
introduced in Python 2.7.
(MainTest.test_child_processes_2): Use self.SHOULD_TEST_PROCESSES.
(MainTest.test_child_processes_min): Ditto.
(MainTest.test_exception_raised): Ditto.
(MainTest.test_keyboard_interrupt): Ditto.
(MainTest.test_crash_log): Check for PlatformInfo.is_mac().
(MainTest.test_web_process_crash_log): Ditto, and remove duplicate
check at the end.
(MainTest.test_no_http_tests): Remove check for (cygwin && Python
2.5.2), as we only support Python 2.6+.

PR: 153232
When we search the best node for block zoom, if the initial node's new
scale exceeds the maximum block zoom scale, we will try to walk through
it's ancestors and pick the acceptable one. But the reality is that the
acceptable ancestor's size can be too close to the size of the actual
contents, we will do nothing for it. As we will still select the
minimum of the new scale and the maximum block zoom scale as block zoom
scale, we can ignore such kind of node and use the initial node instead.

The memory allocation size (in bytes) is fed from LayerRendererChromium memory allocation changed callback
handler to CCLayerTreeHost. At that point we adjust the limits, using the existing notions of preferred and
max limits.

On android, the preferred limit is half the maximum (as it has always been), but on all other platforms the
preferred limit is now equal to max, in order to allow more agressive prepainting.

Finally, android has memory constraints dependant on viewportSize, but that logic has been pushed into
the GpuMemoryManager.

When writing test results for a reftest mismatch, also take into account the
difference percent that is produced when generating image diff. This value is
then used when creating test results in the form of dictionaries, stored under
the 'image_diff_percent' key. It ultimately ends up in JSON results data,
providing additional information about the reftest difference.

Scripts/webkitpy/layout_tests/controllers/manager.py:

(interpret_test_failures): Store the diff percent for reftest failure under the
'image_diff_percent' key.

Scripts/webkitpy/layout_tests/controllers/test_result_writer.py:

(write_test_result): Also set the new diff_percent attribute of the reftest
mismatch failure to the value of the difference percent ImageDiff outputs.

Scripts/webkitpy/layout_tests/models/test_failures.py:

(FailureReftestMismatch.init): Add the new diff_percent attribute with the
default value of None.

The crash was caused by indentIntoBlockquote's passing a bad outerBlock to moveParagraphsWithClone.

When the position is created after blockquote in the following DOM:
BODY

BLOCKQUOTE style=margin: 0 0 0 40px; border: none; padding: 0px;

E

#text "\nx\n"

VisiblePosition's constructor (of startOfContents) turns the position into a legacy position (blockquote, 0).
The crash occurs because this position doesn't belong in the same paragraph as E, which is the paragraph
we're trying to move into the blockquote.

Fixed bug by calling positionInParentAfterNode instead of positionAfterNode for now. We should eventually be
able to use positionAfterNode here once VisiblePosition's constructor starts handling before/after positions
properly.

fast/layers/no-clipping-overflow-hidden-added-after-transform.html
fast/layers/no-clipping-overflow-hidden-added-after-transition-expected.html
fast/layers/no-clipping-overflow-hidden-added-after-transition.html
fast/layers/no-clipping-overflow-hidden-hardware-acceleration-expected.html
fast/layers/no-clipping-overflow-hidden-hardware-acceleration.html
(and all the tests that will need to be rebaselined)

r110072 changed the way we create layers to lazily allocate overflow: hidden ones
based on layout overflow. However with hardware acceleration, certain operations
do cause overflow without actually calling layout (the test cases added as part
of this change are using transition / animation). This means that those cases
wouldn't properly clip.

Due to the above issue and the other regressions from r110072, the easiest fix is
to just to roll it out.

rendering/RenderBox.h:

Changed to allocate a layer whenever we have an overflow clip.

rendering/RenderBox.cpp:

(WebCore::RenderBox::scrolledContentOffset):
(WebCore::RenderBox::cachedSizeForOverflowClip):
Reverted those 2 to avoid using the cached size logic.

Added support for color filters in TextureMapperGL. Blur and shadow would be done in a
different patch.

Modified BitmapTexture::applyFilters to return a texture, since GL cannot paint a texture
into itself.
Created a shader map for standard filters, since all of them work more or less the same way
with a single uniform. Added the colorization shaders based on the W3C filter spec, as
already implemented in FEFilterRenderer.cpp and FEColorMatrix.cpp.
We use two swapping textures to render the filters.

When the editor state changes we have to inform the input method about changed
properties so that it can issue a new input method query. Otherwise it may use old values
from other QQuickItems or other incorrectly initialized data.

Also use isActiveFocus() instead of hasFocus() to detect whether we're actively focused.
This is also what QQuick uses internally to determine whether it can make calls to the input method
or not.

Standard extension scripts injected to the Chromium background page should have
correct script data which means that context debug id should be already set on
the context where they are compiled before the compilation. This patch moves
assignment of context debug id earlier where it is known that no scripts have
been evaluated in the context.

Rather than checking options to see whether we're running pixel tests
the pixel_tests argument passed to GtkDriver._start should be used as
it also covers cases when pixel tests should be run because of testing
reftests. This again creates different Xvfb processes with proper
display IDs for a worker that's performing both ordinary and pixel
tests, as was the case before changes made in r114788.

No need to update viewport arguments when the body element is inserted into the Document.
Viewport arguments are updated first when the Document is set on the Frame, and later
on any subsequent occurence of the viewport meta tag in the document.
It is sufficient to dispatch viewport update once per main frame, if no viewport meta tag is present.

Also add a flag to be able to track viewport argument update dispatch.

Check if script execution is still paused before trying to resolve an
object for script popover because execution may be resumed after popover
showing is scheduled but before we start resolving the object under
the cursor in which case there is no selected call frame any more and
we should hide the popover.

Progress value needs resetting, when WebProcess crashes.
This patch moves crash logic for loading to QtWebPageLoadClient. It
also simplifies the callback function names in QtWebPageLoadClient, as they
all valid only for main frames.

The objective is to pass Isolate around in V8 bindings.
This patch adds an Isolate parameter to setJSWrapperForXXX()
and passes Isolate to setJSWrapperForXXX() in CodeGeneratorV8.pm.
I'll pass Isolate to setJSWrapperForXXX() in custom bindings
in a follow-up patch.

This change reverts back to using processingUserGesture() instead
of DOMWindow::allowPopUp(). This fixes incorrect behavior in
at least the Chromium port and is consistent with the cited
definition of "allowed to show a pop-up":

An algorithm is allowed to show a pop-up if, in the task in which the algorithm is running, either:

an activation behavior is currently being processed whose click event was trusted, or

Enable ctrl-arrow moves caret by word in visual order in non-Windows platforms that use ICU word
break iterator (it is not enabled for WinCE and Qt where ICU is not used). For those platforms, ctrl-arrow
moves caret to word break position before spaces. For example, given a logical text "abc def hij", the word
break positions using ctrl-left-arrow from rightmost position are "|abc |def |hij".
The word break positions using ctrl-right-arrow from leftmost position are "abc| def| hij|".

Test: editing/selection/move-by-word-visually-mac.html

editing/EditingBehavior.h:

(EditingBehavior):
(WebCore::EditingBehavior::shouldEatSpaceToNextWord): To control different word break positions
(regards to space) for different platforms.

editing/FrameSelection.cpp:

(WebCore::FrameSelection::modifyMovingRight): Enable visual word movement for all platforms that use ICU.
(WebCore::FrameSelection::modifyMovingLeft):

editing/visible_units.cpp:

(WebCore::visualWordPosition): Determine the right word break position (regards to space) based on EditingBehavior.
(WebCore::leftWordPosition):
(WebCore::rightWordPosition):

(WebCore::PNGImageDecoder::rowAvailable): Check interlace buffer allocations
and bail via longjmp on failure. Note PNG_INTERLACE_ADAM7 is the only libpng
supported interlace type so test for it explicitly.

PNGImageDecoder supports image downsampling. Add ENABLE guards to show where
downsampling is applied when outputting decoded rows to the frame buffer. Most
ports don't enable the flag: don't penalize them in terms speed in this tight
row pixel write loop. s/y/destY/ to match setRGBA() and amend some comments.

I would remove the whole function, but doing so opens a whole can of worms
as this override is public, yet normally this function is *private* (well protected on RenderBox).
It seems plausible that frame flattening code needs this override since it doesn't always
call the min/maxPreferredWidth() calls which normally automatically call this compute*
function if the pref-widths are dirty.
Instead of trying to track that all down, I'm just removing this line, and we'll go
back and remove the whole function at a later date if possible.

This also adds support for the seamless sandbox flag from HTML 5.
The sandbox flag is not speficially overridable in the current HTML5,
but it is set (like all sandbox flags) by default when sandbox is specified.
Unfortunately this support is not yet observable in this patch, as
this patch adds not observable features of seamless.

I noticed that my previous testing did not confirm that iframes marked
for seamless (but not possible to display as seamless due to sandbox, etc.)
were still to have this seamless styling. I've added additional testing for this case.

I also added another test for the about:blank FIXME added as part of this change.

In order to support srcdoc w/ seamless, we needed to move the srcdoc determination
sooner in the initSecurityContext function (before the should-inherit early return).

The next patch will make seamless actually observable from JS/DOM, this one
just lays down all the plumbing, and separates the security aspects for
easy review.

I also added a new test for about:blank iframes (per a code-FIXME)
as well as some new testing to confirm that the default seamless-CSS style
applies even when iframes cannot render seamless due to security restrictions.

fast/frames/seamless/seamless-basic-expected.txt:

fast/frames/seamless/seamless-basic.html:

fast/frames/seamless/seamless-inherited-origin-expected.txt: Added.

fast/frames/seamless/seamless-inherited-origin.html: Added.

fast/frames/seamless/seamless-inline-expected.txt:

fast/frames/seamless/seamless-min-max-expected.txt:

fast/frames/seamless/seamless-nested-expected.txt:

fast/frames/seamless/seamless-quirks-expected.txt:

fast/frames/seamless/seamless-sandbox-flag-expected.txt:

fast/frames/seamless/seamless-sandbox-flag.html:

fast/frames/seamless/seamless-sandbox-srcdoc-expected.txt:

http/tests/security/seamless/seamless-cross-origin-expected.txt:

http/tests/security/seamless/seamless-sandbox-srcdoc-expected.txt:

svg/in-html/by-reference.html: was using seamless, but really doens't want to, doing so just adds noise.

NATIVE_FULLSCREEN_VIDEO means the fullscreen video is implemented by native
system view instead of webkit.
So it is more appropriate to use USE(NATIVE_FULLSCREEN_VIDEO).
This chagne also disabled the rendering of the fullscreen video element in webkit
when that flag is set.
Just renaming the variable, no new tests.

dom/Document.cpp:

(WebCore::Document::webkitWillEnterFullScreenForElement):
(WebCore):

platform/graphics/MediaPlayer.cpp:

(WebCore):

platform/graphics/MediaPlayer.h:

(MediaPlayer):

platform/graphics/MediaPlayerPrivate.h:

(MediaPlayerPrivateInterface):

Source/WebKit/chromium:

NATIVE_FULLSCREEN_VIDEO means the fullscreen video is implemented by native
system view instead of webkit
So it is more appropriate to use USE(NATIVE_FULLSCREEN_VIDEO).
Just rename the flag, no new tests

This chage forces us to allocate RenderLayers for overflow: hidden as it has been causing several
regressions. It leaves all of the scaffolding around to keep the change small. See bug 83954 for
the proper revert for trunk.

Remove the dependency on *Command.h files from Mac port's WebKit layer.
Also wrapped the call to TypingCommand::insertParagraphSeparatorInQuotedContent in the Editor class
so that we can just expose Editor's method instead of directly exposing the said static method.

Remove one bit from m_column (which should be fine as I wouldn't expect tables above 1 millions
columns to render at all anyway) to pack the bitfields in 32 bits. Re-arranged the bits to have the bigger
bitfield first.

Implements a naive dominator calculator, which is currently just used to
print information in graph dumps. I've enabled it by default mainly to
be able to track its performance impact. So far it appears that there is
none, which is unsurprising given that the number of basic blocks in most
procedures is small.

Also tweaked bytecode dumping to reveal more useful information about the
nature of the code block.

Added a bitvector class suitable for cheap static analysis. This class
differs from BitVector in that instead of optimizing for space, it
optimizes for execution time. Its API is also somewhat less friendly,
which is intentional; it's meant to be used in places where you know
up front how bit your bitvectors are going to be.

(WebCore::Page::startCountingRelevantRepaintedObjects):
Set m_isCountingRelevantRepaintedObjects to true after calling reset, since reset now sets it to false.

(WebCore::Page::resetRelevantPaintedObjectCounter):
Set m_isCountingRelevantRepaintedObjects to false.

(WebCore::Page::addRelevantRepaintedObject):
Use HashSet::find to avoid an extra hash lookup.

page/scrolling/ScrollingCoordinator.cpp:

(WebCore::ScrollingCoordinator::updateMainFrameScrollPositionAndScrollLayerPosition):
Remove the call to FrameView::updateCompositingLayersAfterLayout now, since FrameView::notifyScrollPositionChanged
already calls this and was making us to a lot of work twice.

A few of the dfg operations failed to correctly set the topCallFrame,
and so everything goes wrong. This patch corrects the effected operations,
and makes debug builds poison topCallFrame before calling a dfg operation.

The new preTargetedNode parameter can be used to pass in the Node that is
the target of the GestureTap event. If this parameter is used, adjustedPoint
is changed to be the center of the Node's bounding rectangle.

DOMWindowExtension::disconnectFrame assumed it would only be called when there was a frame
to disconnect. However, DOMWindow's destructor invokes disconnectFrame on all its
DOMWindowProperties, even if it already did so when it entered the page cache.

page/DOMWindowExtension.cpp:

(WebCore::DOMWindowExtension::disconnectFrame):
Don't do anything if the frame has already been disconnected.

Source/WebCore: Temporarily remove webkitSourceAddId() & webkitSourceRemoveId() from DOM
until the rest of the Media Source v0.5 methods are implemented. This is
to prevent ambiguity about whether v0.5 is fully supported or not.​https://bugs.webkit.org/show_bug.cgi?id=85295

These are all test cases which were written as part of implementing seamless
on my github branch: ​https://github.com/eseidel/webkit/compare/master...seamless
All of these will pass once the implementation is landed, which I am uploading
as a series of patches as we speak. Because the each of pieces
affects variety of tests, it seems easiest to read the implmentation
diffs if I land all the tests up-front.

Because some layers lock/unlock resources, it needs to be guaranteed
that if willDraw is called on a layer then didDraw will also be called
on that layer before another willDraw or before layer destruction. Add
asserts to make sure that this is the case.

willDraw is called via CCLayerTreeHostImpl::prepareToDraw ->
calculateRenderPasses. didDraw was previously called in
CCLayerTreeHostImpl::drawLayers. Sometimes drawLayers was being
skipped by the caller of these functions based on what prepareToDraw
returned (causing didDraw to not be called). Fix this by having an
explicit step to call didDraw on all layers. This new didDrawAllLayers
function must be called if and only if prepareToDraw is called.

This is currently broken for values-animation. The accumulation should happen after a full cycle of the values animation ran (aka. at the end of the duration).
A values animation works like this: iterate over the list of values, and calculate a 'from' and 'to' value for a given time. Example for values="0; 30; 20" dur="2s":

0.0s .. 1.0s -> from=0, to=30

1.0s .. 2.0s -> from=30, to=20

Accumulation currently is taken into account at each interval for a values-animation instead of the end of the cycle. Fix that
by passing an additional 'toAtEndOfDuration' type to calculateAnimatedValue() which is used for accumulation instead of the
current 'to' value.

(WebCore::parseNumber): A helper for parseDate().
(WebCore::LocaleWin::parseNumberOrMonth): ditto.
(WebCore::LocaleWin::parseDate):
Parse a user-provided date string by matching with a DateFormatToken list.

(WebCore::appendNumber): A helper for formatDate().
(WebCore::appendTwoDigitsNumber): ditto. Write at least two digits.
(WebCore::appendFourDigitsNumber): ditto. Write at least four digits.
(WebCore::LocaleWin::formatDate):
Format a DateComponents by iterating a DateFormatToken list.

Prepare RenderBoxModelObject for FractionalLayoutUnits by adding rounding
logic to calculateBackgroundImageGeometry. Background images, as all
images, needs to be layed out on pixel boundaries thus we need to convert
it to a integer value.

(WebCore::RenderTableCell::styleDidChange):
Switched the rowWasSet check to an ASSERT. The new logic guarantees that
row index was set straight when we insert the row. The previous logic was
opened to some race conditions as we could wait for a recalcCells call before
setting the index on the rows which made this check necessary.

(WebCore::RenderTableRow::setRowIndex):
(WebCore::RenderTableRow::rowIndex):
Added those getter / setter. Also kept m_rowIndex's smaller size
for future optimization and for symmetry with the column index on
RenderTableCell.

rendering/RenderTableSection.cpp:

(WebCore::RenderTableSection::addChild):
(WebCore::RenderTableSection::recalcCells):
Made sure that whenever we insert or update our row index
we do call setRowIndex().

(WebCore::RenderTableSection::addCell):
This logic now doesn't need to query insertionRow as the cell's
should have the index of the row in which it is inserted.

Each platform will have a different set of input types that support the datalist UI.
This patch makes shouldRespectListAttribute ask the RenderTheme if it supports datalist UI for that input type.
Thus making it possible to do feature detection with JS.

Reviewed by Kent Tamura.

WebCore.gypi: Added RenderThemeChromiumCommon.{cpp,h}

html/ColorInputType.cpp:

(WebCore::ColorInputType::shouldRespectListAttribute):
(WebCore):

html/ColorInputType.h:

(ColorInputType):

html/InputType.cpp:

(WebCore::InputType::themeSupportsDataListUI): Static method used by TextFieldInputType, RangeInputType, and ColorInputType.
(WebCore):

html/InputType.h:

(InputType):

html/RangeInputType.cpp:

(WebCore::RangeInputType::shouldRespectListAttribute):

html/TextFieldInputType.cpp:

(WebCore::TextFieldInputType::shouldRespectListAttribute):

rendering/RenderTheme.h:

(RenderTheme):
(WebCore::RenderTheme::supportsDataListUI): Returns true if the platform can show the datalist suggestions for a given input type.

Reverting RenderObject::maximalOutlineSize to int. This is a slop value for repaint
rects that doesn't affect layout. It also derives its value from RenderView's function
of the same name, which is already an integer.

When zooming, we need to be careful about how to convert the visible rect from float to int.
Using toAlignedRect can produce inconsistent width and height when we are scrolling.
This patch carefully modifies each piece of the visible rect, to avoid such rounding errors.
In addition, the TransformationMatrix we use for painting, needs to be adjusted for the same rounding error.

We have a checked type that allows us to automate many of the
bounds checks we want here, so let's replace the floating point
math, and just use Checked<> throughout. We use a non-recording
Checked<> as no overflows should reach this point, so we'll take
a hard early failure, over the cost of many branches when
accessing the raw values in loops.

Adding an absoluteValue free inline function that operates on LayoutUnits, which
allows us to have one function signature for ints or FractionalLayoutUnits. We
can't simply add a FractionalLayoutUnit flavor of abs because it confuses
some compilers due to the implicit FractionalLayoutUnit constructors that take
ints and floats.

Updating LayoutUnit usage in a pair of remaining functions to minimize the remaining work to switching
to FractionalLayoutUnits for layout instead of integers.

No new tests. No change in behavior.

rendering/InlineFlowBox.cpp:

(WebCore::InlineFlowBox::placeBoxesInBlockDirection): Though stored as a float, the top is always
set to an integer value. When we move to sub-pixel, we need to preserve this. Not preserving this
behavior affects text decorations, most notably underlines.

rendering/RenderWidget.cpp:

(WebCore::RenderWidget::updateWidgetGeometry): Adding pixel snapping for the content box if it's
not transformed (absoluteContentBox includes pixel snapping), and properly treating the boundingBox
as an IntRect.

Bailing from the space distribution loop in layoutHorizontal/VerticalBox when
the remaining space falls below one pixel. This has no effect in whole-pixel
layout, but avoids unnecessary work/infinite loops in the sub-pixel case.

The crash was caused by a malformed range obtained within an event handler of mutation events
(DOMNodeRemovedFromDocument). Because this range wasn't updated per node removal, range functions
end up not behaving well.

Fixed the bug by changing the order of the notifications in ContainerNode::willRemoveChild.
We now fire mutation events first before updating ranges so that any range created inside those
event handlers can also be updated prior to the actual node removal.

Test: fast/dom/Range/range-created-in-mutation-event-crash.xhtml

dom/ContainerNode.cpp:

(WebCore::willRemoveChild):

LayoutTests:

Add a regression test. We use alert here instead of innerHTML, textContent, etc...
because document element is no longer well-formed at the end of the test.

The call to updateMainFrameScrollPosition was added to make the WebKit2 find overlay work, since it relies
on scroll position updates being synchronous. Change the find code in WebKit2 to handle asynchronous scroll
position updates and remove the call to updateMainFrameScrollPosition.

page/scrolling/ScrollingCoordinator.cpp:

(WebCore::ScrollingCoordinator::requestScrollPositionUpdate):

Source/WebKit2:

The find machinery should cope with asynchronous scroll position updates.

WebProcess/WebPage/FindController.cpp:

(WebKit::FindController::updateFindUIAfterPageScroll):
Split the code that handles updating the find indicator and find overlay out into a separate function.

(WebKit::FindController::findString):
Call updateFindUIAfterPageScroll once we know that the scroll position has been updated.

Add DrawingArea::dispatchAfterEnsuringUpdatedScrollPosition, which will call the given function object after
making sure that the scroll position has been updated correctly. This is important for TiledCoreAnimationDrawingArea,
which updates the scrolling position asynchronously.

WebProcess/WebPage/DrawingArea.cpp:

(WebKit::DrawingArea::dispatchAfterEnsuringUpdatedScrollPosition):
Since scroll position updates are synchronous by default, just call function directly.

WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:

(WebKit::TiledCoreAnimationDrawingArea::dispatchAfterEnsuringUpdatedScrollPosition):
Commit the layer tree state and then use ScrollingThread::dispatchBarrier to make sure that the function is called when any
scroll position changes have been made. If possible, freeze the layer tree to make sure that the update is atomic.

Update platform code to use the pixel snapped values for painting rects
to line up with device pixels and change platform specific hit testing
code to use roundedPoint as hit testing is still mostly done on integer
bounds.

When invoking StringImpl::startsWidth() or StringImpl::endsWith() with
a string literal, a new String was constructed implicitly, allocating
a new StringImpl and copying the characters for the operation.

This patch adds a version of those methods for single characters and
string literals.
This allows us to avoid allocating memory and use the characters in place,
and it permits some extra shortcuts in the implementation.

(WebCore::AutoTableLayout::calcEffectiveLogicalWidth):
As we are spreading the cell's min / max logical width, we should be updating them.
This prevents the following logic getting confused and allocating more than needed.

Add a ScrollingThread::dispatchBarrier function which takes a WTF::Function and dispatches it to the main thread
once all the currently scheduled scrolling thread functions have run. This is to be used for synchronization between the
scrolling thread and the main thread.

On android, the fullscreen video was implemented by passing a java
surfaceView to an android mediaplayer class.
The implementation of that logic should happen in WebKit::WebMediaPlayer.
This change makes it possble for WebViewImpl::enterFullScreenForElement()
to call WebMediaPlayer->enterFullscreen(), thus solving the issue.

Sorry, there is a merge error during the previous commit, resolved now

No new tests. This just exposes the flag so later it can be used by android.

When radix, we use to turn the doubleValue into a JSValue just to convert
it to a String. The problem is that was using the slow path for conversion and
for the toString() operation.

This patch shortcuts the creation of a JSValue and uses NumericStrings directly.
The conversion is split between Integer and Double to ensure the fastest conversion
for the common case of integer arguments.

Converting number with radix 10 becomes 5% faster.

Due to the simpler conversion of number to string for integer, converting
integers that do not fall in the two previous optimizations get 32% faster.

Add a new flag for controlling the fixed point denominator in
FractionalLayoutUnit. Controls whether the denominator is set to 60 or 1.
Until we change the LayoutUnit typedef this change will have no effect.

No new tests, no change in functionality.

platform/FractionalLayoutUnit.h:

(WebCore):
(WebCore::FractionalLayoutUnit::operator++):
(WebCore::operator/):
(WebCore::operator+):
Add ++, / double and and + double operators. These are needed when
ENABLE_SUBPIXEL_LAYOUT is not enabled.

platform/graphics/FractionalLayoutRect.cpp:

(WebCore::enclosingFractionalLayoutRect):

Source/WTF:

Reviewed by Eric Seidel.

Add a new flag for controlling the fixed point denominator in
FractionalLayoutUnit. Controls whether the denominator is set to 60 or 1.
Until we change the LayoutUnit typedef this change will have no effect.

As commented in ​https://bugs.webkit.org/show_bug.cgi?id=79963#c16 we do not
usually subclass basic types like Vector. This patch changes code to use
Vector<Attribute> directly and move around the functionality of the former
methods to more specific helper functions or inline code at the callers.

(WebCore::HTMLTreeBuilder::processFakeStartTag):
(WebCore::HTMLTreeBuilder::attributesForIsindexInput): Loop through the attributes
backwards so we can remove items without affecting the rest of the loop run.

StyleImage::computeIntrinsicDimensions() is only called from one
place: RenderBoxModelObject::calculateIntrinsicDimensions(), and that
is only used for background images and border images. In my original
image-set work, I decided that
StyleCachedImageSet::computeIntrinsicDimensions() would compute
"intrinsic" dimensions, meaning that they would compute the dimensions
that the image resource was pretending to be rather than the actual
dimensions of the resource. I chose to do this because it made
background images work great without changing the call-site. But border
images need to know the actual intrinsic dimensions, so this design
decision (which was admittedly questionable from the start) won't
stick.

This patch makes StyleImage::computeIntrinsicDimensions() return
actual intrinsic dimensions. Then the border-image and background-
image code is very lightly patched to account for the image's scale
factor.

These functions no longer need the scale factor parameter.

loader/cache/CachedImage.cpp:

(WebCore::CachedImage::computeIntrinsicDimensions):

loader/cache/CachedImage.h:

(CachedImage):

platform/graphics/GeneratedImage.h:

(GeneratedImage):

platform/graphics/GeneratorGeneratedImage.cpp:

(WebCore::GeneratedImage::computeIntrinsicDimensions):

platform/graphics/Image.cpp:

(WebCore::Image::computeIntrinsicDimensions):

platform/graphics/Image.h:

(Image):

platform/graphics/cg/PDFDocumentImage.cpp:

(WebCore::PDFDocumentImage::computeIntrinsicDimensions):

platform/graphics/cg/PDFDocumentImage.h:

(PDFDocumentImage):

svg/graphics/SVGImage.cpp:

(WebCore::SVGImage::computeIntrinsicDimensions):

svg/graphics/SVGImage.h:

(SVGImage):

rendering/style/StyleCachedImageSet.cpp:

(WebCore::StyleCachedImageSet::computeIntrinsicDimensions):

New function on StyleImage returns the image's scale factor.

rendering/style/StyleCachedImageSet.h:

(WebCore::StyleCachedImageSet::imageScaleFactor):

rendering/style/StyleImage.h:

(WebCore::StyleImage::imageScaleFactor):

Scale the intrinsic size of the background image down by the scale
factor.

rendering/RenderBoxModelObject.cpp:

(WebCore::RenderBoxModelObject::calculateFillTileSize):

Slices should be multiplied by the image's scale factor since they are
always expected to the specified in the 1x image's coordinate space.
(WebCore::RenderBoxModelObject::paintNinePieceImage):

There was a reference cycle between CSSImageSetValue and StyleCachedImageSet via
CSSImageSetValue::m_imageSet / StyleCachedImageSet::m_imageSetValue. Break the cycle
by having StyleCachedImageSet hold a weak reference to the CSSImageSetValue rather
than a strong reference.

Instead of automatically using an intermediate surface for layers with opacity and
children, we limit surface usage for layers with more than one child and for layers with
one child and contents of its own.

This prevents us from using intermediate surfaces in cases where a single layer with
opacity has a single descendant with content, in which case normal blending can be used.

When pasting a copied portion of a blockquote with a newline at the end into an unquoted area,
the newline is inserted after the blockquote since we don't want it also to be quoted. However,
this behavior has also applied when we insert a paragraph between quoted lines, which is incorrect.
To figure out the right place to insert a paragraph, we need providing more information to the
InsertParagraphSeparatorCommand by introducing a boolean parameter "pasteBlockqutoeIntoUnquotedArea".

Add a new public class to the API, WebKitFileChooserRequest, to be
emitted along with a new WebKitWebView::run-file-chooser signal to
let client applications to provide their own file chooser dialog
when the use interacts with HTML Input elements of type 'file'.

Provide private API to make a file chooser request from the
WebView, and provide a default handler for it.

UIProcess/API/gtk/WebKitWebView.cpp:

(fileChooserDialogResponseCallback): Handler for the 'response'
signal for the GtkFileChooserDialog used in the default
handler. It will call to webkit_file_chooser_request_select_files
or webkit_file_chooser_request_cancel as needed.
(webkitWebViewRunFileChooser): Default handler for the new
'run-file-chooser' signal. It will create a GtkFileChooserDialog,
connect to the 'response' signal and show it.
(webkit_web_view_class_init): Connect the 'run-file-chooser'
signal to the default handler, webkitWebViewRunFileChooser.
(webkitWebViewRunFileChooserRequest):

UIProcess/API/gtk/WebKitWebView.h:

(_WebKitWebViewClass): Added prototype for the handler of the new
'run-file-chooser' signal.

UIProcess/API/gtk/WebKitWebViewPrivate.h: Added prototype for

private new function webkitWebViewRunFileChooserRequest.

Provide an implementation for runOpenPanel in WebKitUIClient.

UIProcess/API/gtk/WebKitUIClient.cpp:

(runOpenPanel): New, implements runOpenPanel by creating an
instance of WebKitFileChooserRequest and asking the WebView to
emit the 'run-file-chooser' signal with it.
(attachUIClientToView): Reference the new runOpenPanel function.

Added the new publich header to the main header.

UIProcess/API/gtk/webkit2.h: Added WebKitFileChooserRequest.h.

New unit tests for the new WebKitFileChooserRequest API. Also,
extended the WebViewTest class to allow simulating mouse clicks.

UIProcess/API/gtk/tests/TestWebKitWebView.cpp:

(checkMimeTypeForFilter): New, checks whether a GtkFileFilter
filters a given MIME type, as specified by RFC 2046.
(testWebViewFileChooserRequest): New unit test.
(beforeAll): Add the new unit test as an UIClientTest.

UIProcess/API/gtk/tests/WebViewTest.cpp:

(WebViewTest::clickMouseButton): New public function to simulate a
mouse click through GdkEvents, as the combination of a 'press' and
a 'release' event. Used from the new unit test to simulate the
user pressing in the button rendered for a HTML Input element.
(WebViewTest::executeMouseButtonEvent): New private function to
simulate a mouse event through GdkEvents.

It is good practice not to leave member variables uninitialized. They make debugging more difficult by reducing
repeatability, and in some cases lead to the possibility of information leakage occuring. This patch simply adds
initialization of m_numParsedPropertiesBeforeMarginBox to CSSParser's constructor to INVALID_NUM_PARSED_PROPERTIES
so that the initial state is the same as the state after the properties are cleared.

No tests added because this is a code style fix, not an actual bug so long as the bison generated code calls
startDeclarationsForMarginBox() and endDeclarationsForMarginBox() symmetrically. The lack of initialization was
originally detected by coverity.

We should use combined() instead of combinedForChildren() since we don't allow
intermediate surfaces for preserves-3d. Also, we should apply the offset before
multiplying the transforms, otherwise the transform-origin is incorrect.

This is not correct. The parsing can be done more than once,
and thus we cannot clear data. This patch removes the above code.

Consider the following situation:

(1) Assume '<body onresize="f()"></body>'.
(2) prepareListenerObject() runs.
(3) Since this is the first parsing, hasExistingListenerObject()
returns false. After the parsing, the listener object is set
by setListenerObject().
(4) GC runs. Since there is no strong reference to the listener
object, weakEventListenerCallback() is called back, and the listener
object is disposed.
(5) A resize event is triggered.
(6) prepareListenerObject() is called again. Since the listener object
is already disposed, hasExistingListenerObject() returns false,
and the second parsing starts.

In my investigation, the above situation is happening in the reported
Chromium bug. Anyway, I am sure that potentially the parsing can be
done more than once, and thus we must keep m_xxxx data.

No tests: I tried hard to create a DRT test, but could not.
The bug depends on the behavior of GC, and thus the reported bug is
non-deterministic. For example, (as explained in the Chromium issue,)
the bug does not happen if we load an HTML from network because
the network latency hides the bug. Also the bug happens in the
popup window only. If we open the reported HTML in the main window,
we cannot reproduce the bug.